[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 192.168.31.227:22
Open 192.168.31.227:80
[~] Starting Nmap
[>] The Nmap command to be run is nmap -A -vvv -p 22,80 192.168.31.227
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-03 07:02 EDT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 07:02
Completed NSE at 07:02, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 07:02
Completed NSE at 07:02, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 07:02
Completed NSE at 07:02, 0.00s elapsed
Initiating ARP Ping Scan at 07:02
Scanning 192.168.31.227 [1 port]
Completed ARP Ping Scan at 07:02, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:02
Completed Parallel DNS resolution of 1 host. at 07:02, 0.00s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 07:02
Scanning 192.168.31.227 [2 ports]
Discovered open port 80/tcp on 192.168.31.227
Discovered open port 22/tcp on 192.168.31.227
Completed SYN Stealth Scan at 07:02, 0.04s elapsed (2 total ports)
Initiating Service scan at 07:02
Scanning 2 services on 192.168.31.227
Completed Service scan at 07:02, 6.02s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.31.227
NSE: Script scanning 192.168.31.227.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 07:02
Completed NSE at 07:02, 0.51s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 07:02
Completed NSE at 07:02, 0.01s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 07:02
Completed NSE at 07:02, 0.00s elapsed
Nmap scan report for 192.168.31.227
Host is up, received arp-response (0.00026s latency).
Scanned at 2021-04-03 07:02:41 EDT for 8s
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 d0:02:e9:c7:5d:95:32:ab:10:99:89:84:34:3d:1e:f9 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5g/MV8SKReCc0Gw4yd38cdGBhSqaTIJMLAnLw9JBrzA78gPe+oE2rRjcGXwlCmHXE+rifBo/Sfevqn9oZr3Q4Yw8Z4UdGX6vVRJdJC85B9/75jIw+Nth7LOLVrcWCQEnU5k5emCRrCGHbFoxVhl0J4uk7QbR84YLZNooS52dOFhkHOspgpuECZ7vOiE2aD31pAnU2BF4rgQPnlp2gp/BVhXczPNrGCLGE34o60nlxPGaa7vw9wa2Tenx+isn2JuN/x2AaRYo7SolotwmOtfkUAEYOMh5sBhQaEobfnYsNV+Aee181UfRKkQe5gH/CHpui2UoCqTpCTRgegOXJ/pPD
|   256 d0:d6:40:35:a7:34:a9:0a:79:34:ee:a9:6a:dd:f4:8f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGLAcHcmt/EqgpHTXiRYUz1jpyaUPhH7vWGjI3TaWgiCLS2yPkybhc23zlAVOe+ONWbfODzl2kvYqYWVpL8LLpw=
|   256 a8:55:d5:76:93:ed:4f:6f:f1:f7:a1:84:2f:af:bb:e1 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGHn1jYZNKIRzAqAeRJNZ9nsACR/xXaQSryHGEjSsQfQ
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.25 ((Debian))
|_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03
|_http-generator: Drupal 8 (https://www.drupal.org)
| http-methods:
|_  Supported Methods: GET POST HEAD OPTIONS
| http-robots.txt: 22 disallowed entries
| /core/ /profiles/ /README.txt /web.config /admin/
| /comment/reply/ /filter/tips/ /node/add/ /search/ /user/register/
| /user/password/ /user/login/ /user/logout/ /index.php/admin/
| /index.php/comment/reply/ /index.php/filter/tips/ /index.php/node/add/
| /index.php/search/ /index.php/user/password/ /index.php/user/register/
|_/index.php/user/login/ /index.php/user/logout/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Welcome to DC-7 | D7
MAC Address: 00:0C:29:85:2D:44 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
TCP/IP fingerprint:
Uptime guess: 0.187 days (since Sat Apr 3 02:33:38 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT     ADDRESS
1   0.26 ms 192.168.31.227
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 07:02
Completed NSE at 07:02, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 07:02
Completed NSE at 07:02, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 07:02
Completed NSE at 07:02, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.63 seconds
Raw packets sent: 25 (1.894KB) | Rcvd: 17 (1.366KB)
The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
You have new mail.
Last Login : xxxxxxxxxxxxxxxxxxxxxx
dc7user@dc-7:~$
$ mysql -u db7user -p d7db
Enter password: # enter yNv3Po00
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 15617
Server version: 10.1.38-MariaDB-0+deb9u1 Debian 9.8
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
Hope you enjoyed DC-7. Just wanted to send a big thanks out there to all those who have provided feedback, and all those who have taken the time to complete these little challenges.
I'm sending out an especially big thanks to:
@4nqr34z @D4mianWayne @0xmzfr @theart42
If you enjoyed this CTF, send me a tweet via @DCAU7.
Options:
  -c, --comment COMMENT         new value of the GECOS field
  -d, --home HOME_DIR           new home directory for the user account
  -e, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -f, --inactive INACTIVE       set password inactive after expiration to INACTIVE
  -g, --gid GROUP               force use GROUP as new primary group
  -G, --groups GROUPS           new list of supplementary GROUPS
  -a, --append                  append the user to the supplemental GROUPS
                                mentioned by the -G option without removing
                                him/her from other groups
  -h, --help                    display this help message and exit
  -l, --login NEW_LOGIN         new value of the login name
  -L, --lock                    lock the user account
  -m, --move-home               move contents of the home directory to the
                                new location (use only with -d)
  -o, --non-unique              allow using duplicate (non-unique) UID
  -p, --password PASSWORD       use encrypted password for the new password
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --shell SHELL             new login shell for the user account
  -u, --uid UID                 new UID for the user account
  -U, --unlock                  unlock the user account
  -v, --add-subuids FIRST-LAST  add range of subordinate uids
  -V, --del-subuids FIRST-LAST  remove range of subordinate uids
  -w, --add-subgids FIRST-LAST  add range of subordinate gids
  -W, --del-subgids FIRST-LAST  remove range of subordinate gids
  -Z, --selinux-user SEUSER     new SELinux user mapping for the user account
ls -al
total 36
drwx------  4 root root 4096 Aug 30 2019 .
drwxr-xr-x 22 root root 4096 Aug 29 2019 ..
lrwxrwxrwx  1 root root    9 Aug 29 2019 .bash_history -> /dev/null
-rw-r--r--  1 root root  949 Aug 29 2019 .bashrc
drwxr-xr-x  3 root root 4096 Aug 29 2019 .drush
drwx------  3 root root 4096 Apr 3 16:30 .gnupg
-rw-r--r--  1 root root  148 Aug 18 2015 .profile
-rw-r--r--  1 root root   74 Aug 29 2019 .selected_editor
-rw-r--r--  1 root root 1079 Aug 30 2019 theflag.txt
-rw-r--r--  1 root root  165 Aug 29 2019 .wget-hsts
crontab -l # check here whether the scheduled task is what we guessed
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command